DRIPA may be ok but what next for the Snooper’s Charter and UK adequacy?

The new Prime Minister won’t have welcomed the publication yesterday of the European Court of Justice (ECJ) advocate general’s legal opinion since it has potentially worrying implications for her Investigatory Powers Bill (dubbed by the media as the ‘Snooper’s Charter’) and UK data transfers in a post-Brexit era.

In a case initiated by a member of her own cabinet (David Davis, now minister for Brexit resulting in him dropping his name from the action at the beginning of this week), Labour MP Tom Watson and others, the matter concerned the data retention obligations placed on electronic communications services under the Data Retention and Investigatory Powers Act (DRIPA). The ECJ case linked these proceedings with a Swedish case on a similar point.

First it is worth noting that the Advocate General’s opinion is not legally binding and is only a recommendation. However it is often followed by the ECJ and his comments are interesting. In particular, he noted that, in his view, DRIPA and similar legislation are not necessarily incompatible with EU law as such. In this respect it does open up the potential for blanket retention provisions in certain circumstances and therefore goes further than many had expected. However, significantly, he sets out several key conditions which national legislation containing retention obligations must meet in order for this to be the case. The conditions are that the data retention obligations:

must possess the characteristics of “accessibility, foreseeability and adequate protection against arbitrary interference”;

must observe the essence of the rights recognised by Articles 7 and 8 of the Charter of Fundamental Rights;

must be strictly necessary in the fight against serious crime, which means that no other measure or combination of measures could be as effective in the fight against serious crime while at the same time interfering to a lesser extent with the rights enshrined in Directive 2002/58 and Articles 7 and 8 of the Charter of Fundamental Rights;

must be accompanied by all the safeguards described by the Court in paragraphs 60 to 68 of its judgment of 8 April 2014 in the Digital Rights Ireland case concerning access to the data, the period of retention and the protection and security of the data, in order to limit the interference with the rights enshrined in Directive 2002/58 and Articles 7 and 8 of the Charter of Fundamental Rights to what is strictly necessary; and

must be proportionate, within a democratic society, to the objective of fighting serious crime, which means that the serious risks engendered by the obligation, in a democratic society, must not be disproportionate to the advantages which it offers in the fight against serious crime.

So, quite a few conditions there! Ultimately he says that whether these conditions are met is a matter for the national courts to determine and therefore he doesn’t in fact opine on whether DRIPA does or does not meet such conditions.

What is of most interest in this opinion for privacy lawyers is that the Snooper’s Charter would almost certainly not meet these conditions. Notably, the bill is not limited to retention for fighting serious crime, but contains various other justifications. The implication for this is that, were the Snooper’s Charter to pass in its current or similar form, whilst the UK remains in the EU it could be open to challenge and, if and when the UK leaves, this could cause serious problems for the UK in claiming adequacy (through white list status or otherwise) for the purposes of data transfers. All the more likely to be a problem in a post-Schrems and Snowden era.

The next step is to await the ECJ’s judgment and also the final reading of the Snooper’s Charter and then the position and potential ramifications should be clearer.